CoreStreet Security Standards Compliance:
- Common Criteria/NIAP (National Information Assurance Partnership)
- U.S. Department of Defense Joint Interoperability Test Command
- FIPS 140-2
In June 1993, the sponsoring organizations of the existing US, Canadian, and European criteria (TCSEC, ITSEC, and similar) started the Common Criteria Project to align their separate criteria into a single set of IT security criteria. Version 1.0 of the CC was completed in January 1996. Based on a number of trial evaluations and an extensive public review, Version 1.0 was extensively revised and CC Version 2.0 was produced in April of 1998. This became ISO International Standard 15408 in 1999. The CC Project subsequently incorporated the minor changes that had resulted in the ISO process, producing CC version 2.1 in August 1999. Today the international community has embraced the CC through the Common Criteria Recognition Arrangement (CCRA), whereby the signers have agreed to accept the results of CC evaluations performed by other CCRA members. The US program for Common Criteria certification is called NIAP (National Information Assurance Partnership). Visit the NIAP site.
The CoreStreet Validation Authority has completed Common Criteria EAL3 evaluation. In doing so, the CoreStreet Validation Authority has become the world's only Distributed OCSP product to receive Common Criteria certification. See the certificate [pdf].
U.S. Department of Defense Joint Interoperability Test Command
The Joint Interoperability Test Command (JITC) is the Public Key Infrastructure (PKI) test and certification organization for the U.S. Department of Defense (DoD). JITC has replicated the DoD's PKI environment to ensure a commercial product will meet their PKI standards when the product is fully deployed and in use within the DoD.
CoreStreet's Distributed OCSP Responder, Responder Appliance, and Validation Authority are JITC certified.
View the JITC approval letters:
- OCSP Responder Software version 5.1.5
- Responder Appliance 2400D
- Validation Authority version 5.1.5
What is FIPS 140?
The Computer Security Division of the U.S. National Institute of Standards and Technology (NIST) manages a number of FIPS (Federal Information Processing Standards) covering cryptography, that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). These standards have been adopted by the U.S. and Canadian governments to guide their purchases of products that are intended to protect the security of electronic information and e-commerce. The FIPS 140-1 standard was created in 1994; it specifies requirements for the proper design and implementation of products that perform cryptographic operations. In 2001, a more stringent version of the standard, called FIPS 140-2, was released. Products are certified under the FIPS CMVP (Cryptographic Module Validation Program). CMVP is managed by NIST and CSE, the Communications Security Establishment of the Canadian government. The CMVP charter is to make sure that products correctly implement FIPS-approved cryptographic standards. FIPS 140 has four levels, which are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed.
The CoreStreet Validation Authority is FIPS 140-2 Level 3 compliant when deployed with a FIPS 140-2 Level 3 Hardware Security Module (such as Chrysalis’s Luna SA or nCipher’s nShield). We store all private keys and perform all of our cryptographic operations within the HSM and vendor libraries, which means that the deployed application meets FIPS 140-2 Level 3 when used with this hardware. For more detailed information on FIPS, visit the NIST website and see the approved FIPS 140 HSMs page.
- The official FIPS 140-2 standard